Nature and the Internet both came without privacy.
The difference is that we’ve invented privacy tech in the natural world, starting with clothing and shelter, and we haven’t yet done the same in the digital world.
When we go outside in the digital world, most of us are still walking around naked. Worse, nearly every commercial website we visit plants tracking beacons on us to support the extractive economy in personal data called adtech: tracking-based advertising.
In the natural world, we also have long-established norms for signaling what’s private, what isn’t, and how to respect both. Laws have grown up around those norms as well. But let’s be clear: the tech and the norms came first.
Yet for some reason many of us see personal privacy as a grace of policy. It’s like, “The answer is policy. What is the question?”
Two such answers arrived with this morning’s New York Times: Facebook Is Not the Problem. Lax Privacy Rules Are., by the Editorial Board; and Can Europe Lead on Privacy?, by ex-FCC Chairman Tom Wheeler. Both call for policy. Neither see possibilities for personal tech. To both, the only actors in tech are big companies and big government, and it’s the job of the latter to protect people from the former.
What they both miss is that we need big people. We can only get those is with with big tech for each of us.
We got it with personal computing and with the Internet itself, which was designed to make everyone an Archimedes. We also got a measure of it with the phones and tablets we carry around in our pockets and purses. None are yet as private as they should be, but making them fully private is the job of tech.
*BTW, I give huge props to the EU for the General Data Protection Regulation, which is causing much new personal privacy tech development and discussion. I also think it’s an object lesson in what can happen when an essential area of tech development is neglected, and gets exploited by others for lack of that development.
Also, to be clear, my argument here is not against policy, but for tech development. Without the tech and the norms it makes possible, we can’t have fully enlightened policy.
That’s because a massive personal data extraction industry has grown up around the simple fact that our data is there for the taking. Or so it seems. To them. And their apologists.
As a result, we’re at a stage of wanton data extraction that looks kind of like the oil industry did in 1920 or so:
It’s a good metaphor, but for a horrible business. It’s a business we need to reform, replace, or both. What we need most are new industries that grow around who and what we are as individual human beings—and as a society that values what makes us human.
Our data is us. Each of us. It is our life online. Yes, we shed some data in the course of our activities there, kind of like we shed dandruff and odors. But that’s no excuse for the extractors to frack our lives and take what they want, just because it’s there, and they can.
Now think about what love is, and how it works. How we give it freely, and how worthwhile it is when others accept it. How taking it without asking is simply wrong. How it’s better to earn it than to demand it. How it grows when it’s given. How we grow when we give it as well.
True, all metaphors are wrong, but that’s how metaphors work. Time is not money. Life is not travel. A country is not a family. But all those things are like those other things, so we think and talk about each of them in terms of those others. (By saving, wasting and investing time; by arriving, departing, and moving through life; by serving our motherlands, and honoring our founding fathers.)
Oil made sense as a metaphor when data was so easy to take, and the resistance wasn’t there.
But now the resistance is there. More than half a billion people block ads online, most of which are aimed by extracted personal data. Laws like the GDPR have appeared, with heavy fines for taking personal data without clear permission.
I could go on, but I also need to go to bed. I just wanted to get this down while it was in the front of my mind, where it arrived while discussing how shitty and awful “data is the new oil” was when it first showed up in 2006, and how sadly popular it has become since then:
It’s time for a new metaphor that expresses what our personal data really is to us, and how much more it’s worth to everybody else if we keep, give and accept it on the model of love.
Synopsis—Advertising supported publishing in the offline world by sponsoring it. In the online world, advertising has been body-snatched by adtech, which tracks eyeballs via files injected into apps and browsers, then shoots those eyeballs with “relevant” ads wherever the eyeballs show up. Adtech has with little or no interest in sponsoring a pub for the pub’s own worth. Worse, it encourages fake news (which is easier to produce than the real kind) and flooding the world with “content” rather than old-fashioned (and infinitely more worthwhile) editorial. When publishers agreed to funding by adtech, they sold their souls and their readers down a river full of fraud and malware, as well as indefensible manners. Fortunately, readers can bring both publishers and advertisers back into a soulful reunion. Helpfully, the GDPR makes it illegal not to, and that will be a huge issue as the deadline for compliance (next May 25th) approaches.
Do you think advertisers will pay enough for SafeAds to offset the losses publishers will have from selling fewer targeted ads due to privacy regs?
It’s a good question. (That’s what people say when they don’t have an answer, or can’t think of an easy one right away. But…) I thought about it, and replied with this:
Yes, and then some.
They’ll do it because there is more brand value to SafeAds.
The bigger question is for publishers: what business do they want to be in?
Do they want to operate barrels of “content” full of tracked fish baited there so adtech can shoot them with “interest-based” ads?
Or do they want to operate actual publications with good editorial that advertisers sponsor so their ads can be seen by readers who know those ads support the publication and are appropriate without being personal?
That’s the choice.
It helps that the second business — actual publishing — has been around for a couple hundred years, and even worked fine on the Web before publishers fell for the adtech sell.
Publishers sold a big piece of their soul when they consented to having their readers’ privacy violated, and with rampant impunity, by adtech. They also chose to ignore the fact that adtech is in the business of chasing eyeballs, not of sponsoring the good work publishers do, or of building brand reputation. (Which can’t be done by shooting people constantly with “interest-based” ads that mostly creep people out if they hit a bulls-eye.)
The GDPR, if it works like it should, will force publishers to fire adtech and normalize their relationship with readers. When that happens, publishers, advertisers, readers and agents for all three can start working out better business models than the creepy one we’ve had with adtech.
Ross quoted the first sentence of the second-to-last paragraph, which is probably the best one of the bunch he could have used. Most of the quotes he gathered from other folks in the biz were also very good. I study this topic a lot, and I still learned some new things. Hats off for that.
While I’m saluting what I just learned from Ross, however, I also want to visit some assumptions that surface in his piece. They aren’t his, but rather pretty much everybody’s, and that’s a problem. Here are four of them.
1) Consent can only go one way, meaning each of us should always be the ones consenting to terms proffered by sites and services. Here’s how Ross puts it:
The General Data Protection Regulation, which prevents brands from using a person’s data unless they have explicit permission to do so, could send more ad dollars to premium publishers that are more likely to obtain user consent than lower-quality publishers.
In fact consent can go the other way, meaning the publisher or advertiser can consent to our terms.
It is only because we made a Faustian bargain with client-server in 1995 that we remain stuck inside a model that assumes we “users” should always be second (and second-class) parties, with no choice but to agree as “clients” to terms proffered by server operators.
It helps that the Internet was designed so any one of us can be peers. This is an especially good design feature in the age that (at least I hope) begins with the GDPR.
One reason why I’m encouraged about the GDPR is that it says each of us can be “data controllers” as well as “data subjects.” (White & Case have a good unpacking of that, here.)
Tracking is the reason ad blocking, which has been around since 2003, didn’t hockey-stick toward the sky until 2012. That was when publishers and advertisers, led by the IAB, gave the middle finger to Do Not Track, which was merely a polite request not to be tracked that people could express in their browsers.
3) The best advertising is the most measurable, and is looking for a response from an individual.
That’s not true for advertising, but it is for direct response marketing (the wheat and chaff I talk about in the last cited piece). Unfortunately, as I say in that piece, “Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.”
The outlines of that alien replica can be seen in what Ross cites here:
Eric Berry, CEO of native ad platform TripleLift, said the GDPR could lead to a reduction in programmatic ad spend because ad buyers will struggle to measure whether their ads lead to purchases. There’s uncertainty about how the law will be enforced, but if users have to give consent to individual publishers, demand-side platforms and attribution vendors, the attribution companies won’t likely have enough data to make accurate measurements, which will lead ad buyers to shift their dollars to other marketing tactics. This would hurt publishers that rely on programmatic ad revenue, he said.
There is a reason perhaps a $trillion has been spent on adtech and not one worldwide brand everyone can name has been created by it, much less sustained or helped in any way.
As Don Martisays, only real advertising can carry the full economic and creative signals required to create and sustain a brand. And, as Bob Hoffman hammers home constantly (and very artfully) in The Ad Contrarian, the ad industry’s equation of “digital” with tracking is based entirely on bullshit. (His term, and the right one.)
Direct response marketing, which began as junk mail, and which looks to measure results for every message, wasn’t designed for that, and can’t do it.
Calling direct response marketing advertising was one of the biggest mistakes the ad industry ever made and masks the real problem the GDPR invites, which is that we risk throwing out the SafeAds baby with the FakeAds (adtech) bathwater.
If all the GDPR leads publishers to do is (as Ross says in his piece) “use intrusive messages — like pop-ups or interstitials — to get user consent,” and the EU fails to fine publishers and their adtech funders for violating the spirit as well as the letter of the GDPR, the GDPR will be as big a fail as the useless cookie consent notices people see on European sites.
4) There’s nothing really wrong with adtech.
Pretty much everything is wrong about adtech, but perhaps the wrongest of the wrong is the problem Siva Vaidhyanathan (@sivasaid)visits in a NY Times piece titled Facebook Wins, Democracy Loses. Here’s a pull quote:
A core principle in political advertising is transparency — political ads are supposed to be easily visible to everyone, and everyone is supposed to understand that they are political ads, and where they come from. And it’s expensive to run even one version of an ad in traditional outlets, let alone a dozen different versions. Moreover, in the case of federal campaigns in the United States, the 2002 McCain-Feingold campaign-finance act requires candidates to state they approve of an ad and thus take responsibility for its content.
The bold-face is mine (or actually my wife’s, who found and highlighted it for me).
The economic signaling value of an ad comes from what it costs. Only a brand with a lot of heft can afford to sponsor a publication or a mainstream broadcaster. But it’s super-cheap to run ads that narrowcast to just a few people. Or to put up a fake news site. (Both are big reasons why journalism is now drowning in a sea of content. Adtech is what paid publishing to trade journalism for “content generation.” This is a cancer on advertising, publishing and journalism, and makes adtech the Agent Smith of digital.)
What’s more, adtech has created environments where micro-targeted ads and adtech-funded fake news can work very effectively to destroy brands.
Consider this possibility: Trump and his sympathizers succeeded in destroying Hillary Clinton’s brand, and there wasn’t a damn thing any of her own big-budget and big-media branding efforts (#SafeAds all) could do about it. (And try, if you are a Trump sympathizer, to ignore whatever you think about how much Hillary brought it on herself or deserved it. In badness of the smear-worthy sort, she has plenty of company, especially Trump. In using modern adtech and fake news methods, the Trump campaign and those helping it were very smart and effective.)
As Siva says in his Times piece,
Ads on [Facebook] meant for, say, 20- to 30-year-old home-owning Latino men in Northern Virginia would not be viewed by anyone else, and would run only briefly before vanishing. The potential for abuse is vast. An ad could falsely accuse a candidate of the worst malfeasance a day before Election Day, and the victim would have no way of even knowing it happened. Ads could stoke ethnic hatred and no one could prepare or respond before serious harm occurs.
Can the GDPR address that problem?
Yes, by supporting individuals (not mere “users” or “consumers”) operating as first parties, getting the good publishers to agree not to run ads like the ones Siva describes, and to open the floodgates to brand ads that actually sponsor those publications, rather than regarding them as bait for shooting tracked eyeballs.
For today’s entries, I’m noting which linked pieces require you to turn off tracking protection, meaning tracking is required by those publishers. I’m also annotating entries with hashtags and organizing sections into bulleted lists.
The State of Ad Blocking and Online Ads: An Interview with Doc Searls (Matthew Maier in AdBlock) Pull quote: “What’s working is what has always worked: brand advertising in legacy print and broadcast media, and search advertising in the online world. Ads targeted at populations (rather than individuals) online also work, to the degrees that people are not bothered or creeped out by them. Not working is tracking-based ‘direct’ adtech, which succeeds because it’s called advertising, looks like advertising, and benefits from corporate appetites for the biggest possible data, and lots of maths to rationalize the expense.”
Apple reveals HomePod, a #privacy-focused smart #assistant (Zach Whittaker in ZDnet) Subhead: Throwing shade at its two data-hungry virtual assistant competitors, Amazon and Google, the iPhone maker said that nobody has “quite nailed it yet.” Pull-quote: “Apple’s logic is that, for the most part, it doesn’t want your data. Federighi reiterated that many of the advanced deep learning and artificial intelligence analysis — such as finding your location, facial recognition in photos, and setting calendar reminders — is done on the device, shutting Apple out of the loop — preventing anyone from asking Apple for data it doesn’t have. But for a company that doesn’t want your data — to make Siri better, it has increasingly been asking for it. Apple contends that it still doesn’t want to see your information.” Some #disambiguation is required there.
Why Does Apple Think It Can Get Away With Selling #Overpriced Stuff? (Mark Wilson in Co.Design) Pull-quote: “However, if Apple has any particular hope, it’s this: Amazon and Google are both invasive with consumer data. These companies track our activity largely with the goal of selling us something at just the right moment. Apple is far more transparent. It’s actively pushing machine learning to the device level by developing an on-device machine learning #APIandworking on a specialized machine learning chip to bring advanced AI to your phone, theoretically, without all your data going to a server, where it might be accessible by the government, advertisers, and more. It’s making cross-device #encryption a standard, which means a federal agent who seizes your phone at a border crossing—which happened during the Muslim ban—can’t as easily download its contents and read it all. And most of all, that new HomePod speaker, powered by Siri, will anonymize and encrypt everything you say. That means your private questions are not tied to your Apple ID for later reference. Such is not the case for Amazon’s and Google’s assistants. Apple has and will make trade-offs to protect consumer privacy. (Many of us, at the end of the day, get some value out of a Google knowing our history of things we’ve searched, even if it’s constantly #creepy.) It might not work, but at least we’re getting a clear picture of Apple’s big gamble going into the next decade: that people will continue paying more than they should for hardware, with the hope that it’s not just nicely designed, but that it operates with discretion, too.” All fine, but he misses another reason people pay more for Apple stuff: customer #support, especially at Apple Stores. Amazon and Google can’t, and don’t, compete.
Uber may, in Uber’s sole discretion, permit you from time to time to submit, upload, publish or otherwise make available to Uber through the Services textual, audio, and/or visual content and information, including commentary and feedback related to the Services, initiation of support requests, and submission of entries for competitions and promotions (“User Content”). Any User Content provided by you remains your property. However, by providing User Content to Uber, you grant Uber a worldwide, perpetual, irrevocable, transferable, royalty-free license, with the right to sublicense, to use, copy, modify, create derivative works of, distribute, publicly display, publicly perform, and otherwise exploit in any manner such User Content in all formats and distribution channels now known or hereafter devised (including in connection with the Services and Uber’s business and on third-party sites and services), without further notice to or consent from you, and without the requirement of payment to you or any other person or entity.
The emphasis is mine. Interesting legal hack there: you own your data, but you license it to them, on terms that grant you nothing and grant them everything.
Talk about a deal breaker. Wow. (Except it’s also the old deal.)
At the very least, Lyft should make hay on this, if they actually do have an advantage in the degree to which they protect privacy. (Denise, below, says they don’t. But hey, maybe they could if they wanted to compete on privacy.)
Here’s what matters (and remains unchanged from Denise’s corrections):::
We need our own terms. Meaning each of us should be the first party in agreements with service providers, not the second. Meaning they need to agree to our terms.
That’s Customer Commons’ reason for being. Just as Creative Commons is where you will find copyright terms you can assert as an artist, Customer Commons will be where you will find service terms you can assert as a customer.
With the wind of new .eu and .au privacy laws (e.g. the EU’s GDPR) at our backs, we stand a good chance of making this happen.
The question is how we can get some mojo behind it. Thoughts welcome. Shoulders to the wheel as well.